Seeing ACSSA Come to Life: Reflections from the IC49 Pilot Evaluator Training

Written by Lovington Dela Cruz, Global InfoSec Director (ICS/OT), Arcadis

When you help develop a certification scheme over several years, most of the work happens quietly in reviews, meetings, drafts and technical debates. Attending the pilot delivery of the ACSSA IC49 Evaluator Training was the first time that work came together in a practical way for me and my colleagues at Arcadis. As a global design, engineering and consultancy organization delivering critical infrastructure projects, cybersecurity is not theoretical for us; it directly affects how we design, build and operate real systems for asset owners.

I have been involved with the ISASecure® Site Assessment for Security Assurance (ACSSA) program since its early stages as part of the technical steering committee. From the outset, the objective was clear: to create a certification requirement that evaluates how service providers consistently apply ISA/IEC 62443 across the industrial automation and control system lifecycle. ACSSA was never meant to be a paper exercise. It was designed to provide confidence that security is embedded into governance, engineering practices, project delivery and ongoing operations, not added at the end to satisfy an audit.

The evaluator training itself provided a new and important perspective. For the first time, ACSSA certification was applied end-to-end through a structured case study in a classroom environment. Working through this exercise offered first-hand insight into how an asset owner would be assessed, how evidence is reviewed and how evaluator judgments are formed. It clarified what it genuinely takes for an organization to achieve ACSSA certification beyond written procedures.

What made the pilot particularly valuable was attending alongside Arcadis colleagues who were not involved in developing the standard. Their experience closely reflected how future evaluators and consultants will encounter the training, focused on application rather than authorship. That contrast led to productive discussions during and after the sessions about clarity, workload and how requirements translate into real project environments.

One colleague described the training as challenging but highly rewarding. Understanding evaluator expectations, such as how requirements are mapped, how consistency is judged and how conclusions are reached, helped shift thinking from producing documentation to demonstrating organizational capability. While the scope of documentation initially felt heavy, working through examples across ML1 to ML3 brought structure and reinforced the importance of repeatable processes.

Another colleague highlighted the value of seeing the assessment through an auditor’s lens early. Knowing what evaluators look for enables teams to align security documentation and risk assessments from the start, reducing challenges later in the certification process. As expected for a pilot, there was constructive feedback: some sections were dense, and access to core reference materials during training would support deeper understanding.

A third colleague noted how the training reinforced the engineering lifecycle perspective. Understanding how compliance is verified across assessment, design, implementation, operation and maintenance directly supports stronger delivery of IACS cybersecurity projects.

From our experience at Arcadis, the training represents a meaningful step toward building evaluator capability and strengthening confidence in ACSSA as a credible industrial cybersecurity assurance scheme.

Lovington Dela Cruz, P.Eng., is a Global Director and OT/ICS cybersecurity leader with over 25 years of experience in engineering, design and consulting for industrial control systems across the oil & gas, water, transportation and broader critical infrastructure sectors. His career has been shaped by extensive work within advisory environments, where he has helped asset owners translate complex operational requirements into secure, resilient and standards‑aligned system designs. 

Arcadis is a leading global partner, delivering some of the most transformative projects with businesses, cities and industries. With 34,000 people active in more than 30 countries, we bring together the best minds from around the world to deliver intelligent products and solutions across the environment, energy, water, buildings, transport and infrastructure sectors. Founded in 1888, we have more than 135 years of experience in bringing innovative and sustainable design, engineering and consultancy solutions for natural and built assets.